How does eCommerce change with new consumer and privacy regulations?
eCommerce is becoming increasingly regulated as a consequence of recent decisions and changes to consumer and privacy laws.
Maybe not everyone knows that I was “born” as an eCommerce lawyer, assisting for almost 100% of my time some global eCommerce operators and ePayment providers in the launch and operation of their Italian business. I still deal a lot with eCommerce, but together with a number of other things!
And below is my personal list of the top 5 regulatory topics to bear in mind in setting up an eCommerce platform, following recent regulatory changes:
1. Are your eCommerce Ts&Cs fair?
Ts&Cs of eCommerce platforms have traditionally been very one-sided, especially if they are the result of the localisation of American websites. However, the Italian antitrust authority, which also has jurisdiction in Italy over consumer-related matters, can identify clauses that it considers “unfair” and therefore null and void.
- Liability exclusions that were considered too wide;
- The possibility for WhatsApp to interrupt the service without reason or advance notice;
- A right granted to WhatsApp to terminate the contract at any moment and for any reason, no longer allowing users to access/use the services, without granting the same right to the users;
- The reference to the laws of the State of California as governing law and the reference to the courts of the U.S. District Court for the Northern District of California or the State Court of California for disputes;
- The right granted to WhatsApp to terminate “orders” without refunds for the services offered, without clarifying the circumstances under which those actions would be carried out;
- The prevalence of the English version of the contract over the Italian version accepted by Italian users.
Some of the clauses listed above are a kind of “market standard” especially in common law countries. Therefore this decision (which follows some other similar decisions on unfair clauses) shows the level of changes to be adopted in order to localise Ts&Cs not only to Italian law, but in general to European law as regulations on unfair terms are provided by the European Consumer Rights Directive.
2. Have your one-sided clauses been “expressly” approved?
The Italian civil code provides that the one-sided clauses of standard agreements (i.e. Ts&Cs) are not enforceable against the party that has not drafted the agreement (i.e. the consumer in most cases), unless the latter has approved the one-sided clauses of the agreement expressly in writing.
This was an obstacle almost impossible to overcome in case of eCommerce platforms as the delivery of a document with a written signature was considerably delaying the transaction. However, as discussed here, a recent regulatory change provided that the requirement of the “written document” might be met by an electronic document executed by a mere “electronic signature” of any kind that would include also a point and click if adopted after an adequate process of identification.
There are still some precautions to be considered for the approval of the Ts&Cs of one-sided clauses of Italian eCommerce platforms in order to comply with the requirement above, but this is a kind of “ground breaking” change.
3. Did you link to the online dispute resolution platform?
As discussed in this blog post, the European Commission has now established an online platform for the handling of disputes between traders and consumers relating not only to eCommerce sales, but open to any kind of B2C sale.
eCommerce operators and online marketplaces – including gaming websites for instance – are obliged to add a link to the online dispute resolution platform on their website. This provision is in line with what is provided by the Consumer Rights EU Directive under which, in case of B2C distance or off-premises contracts, the trader has to inform the consumer about the possibility of having recourse to an out-of-court complaint and redress mechanism to which the trader is subject and the methods for having access to it.
My personal experience is that there is not much trust towards this platform that only puts in contact and facilitates the communication between the parties involved. But it is an obligation that cannot be ignored.
4. Did you comply with distance sale obligations?
The level of transparency towards consumers required by the EU Consumer Rights Directive has considerably increased. A number of items of information have to be disclosed to consumers in the Ts&Cs, including among others:
- a reminder of the existence of a legal guarantee of conformity for goods which is a very tricky topic since the European directive on the sale of consumer goods provides for a statutory two year guarantee, while some operators in the past tried to show such guarantee as an additional service provided against the payment of a dedicated fee; and
- whether the right of withdrawal from the agreement within 14 days applies and the circumstances in which consumers might lose such right e.g. in case of customisation of the product or provision of digital contents downloaded before the expiry of the withdrawal term, but the list of exclusions is quite detailed and its applicability requires a deep assessment.
The result of the above is that it is not possible to merely “translate” the Ts&Cs of a US platform in order to sell products/services in the European Union. A thorough localization is needed.
5. Is your customers’ profiling compliant with privacy regulations?
Without going into too much detail on the changes to be implemented to eCommerce platforms as a consequence of both the European General Data Protection Regulation and the ePrivacy Regulation, there is no doubt that online platforms increasingly rely on cookies, fingerprinting and analytics, and try to collect as much information as possible about their users to customise their offering.
Subject to the peculiarities of individual cases,
- profiling activities will require a separate and specific consent to the performance of profiling activities which cannot be included in a broader marketing consent; and
- according to the current draft of the ePrivacy Regulation, cookies and fingerprinting will require a prior consent, save for the technical cookies and analytics cookies. And it is not clear whether the modalities of collection of such consents currently provided by data protection authorities will be valid also under the GDPR and the ePrivacy Regulation.
Only one year is left before the effective date of the GDPR. This time window should be used to collect the GDPR-compliant privacy consents necessary to perform marketing activities, and in particular profiling activities, as no one can afford the fines prescribed by the EU General Data Protection Regulation.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.